If I were to get 2 SSL certificates, one for example.com and one for www.example.com, is there a way to install them both on the site example.com in DirectAdmin? The default interface only allows installing one for both versions.

If not, can I separate the 2 domains into 2 sites? One of them would only be a redirection, so there wouldn't be any duplication of site files.

(Please don't answer with "one certificate should work for both". It doesn't always. SNI also doesn't help me. I already have one half of the certificate pair, and need to configure it. This is a DirectAdmin question)

A given (IP address,port) tuple can only have a single SSL certificate associated with it. So you'll need to have a second IP address available to you to be able to run both certs.
– BMDan, Mar 16 '12 at 17:22

@BMDan That is incorrect, with Apache SNI you can run multiple SSL certificates from a single IP address.
– Ben Lessani - Sonassi, Mar 16 '12 at 21:50

1

@sonassi: I've yet to have a client willing to accept SNI's limitations. Give it another five years (sadly, that's literal—*another* five years) and it'll hit effectively 100% of clients, at which point the argument may change. Even then, personally, the information-disclosure MitM potential of SNI creeps me out.
– BMDan, Mar 19 '12 at 2:04

1

Actually only companies that care about IE6 should fear SNI, and thankfully I don't work for one of those :)
– gparent, Mar 20 '12 at 14:20

1

@gparent, it's not just IE6, it's any version of IE running on Windows XP.
– Bruno, Mar 20 '12 at 22:35

The one I already have, however, does not (and it's from VeriSign, not exactly cheap). Thanks for trying to help, but this doesn't answer the question.
– Bart van Heukelom, Mar 16 '12 at 22:21

1

As of late, all VeriSign certifications are SAN certs, so it should cover both variants of your domain ...
– Ben Lessani - Sonassi, Mar 16 '12 at 22:31

To check if your certificate will support both domain.com and www.domain.com, you should check the certificate's subject alt name field in the certificate description. You may check this with any browser.
– jollyroger, Mar 21 '12 at 20:00

@sonassi: You can likely ask Verisign to provide a replacement certificate that covers both (I've asked this of GeoTrust in the past when I've accidentally submitted in a way that didn't result in a SAN being attached for both name variations). Otherwise, switch to a cheaper cert that includes SANs; most CAs offer a competitive-replacement program for low, no, or sometimes negative cost (i.e., they give you a rebate).
– BMDan, Mar 27 '12 at 13:39

I am personally of the opinion that SNI is not production ready for public internet facing sites in general. There are still plenty of Windows XP boxes out there that would get denied.

This means that generally speaking you can run 1 SSL site on one IP/Port combo. You'll need a second IP to run a second.

The good news, though, is that you can use a single UCC/SAN (Subject Alternative Name) SSL certificate, which has good browser coverage. You can purchase one cert with both variations and use it on one site that supports both hostnames, or use it on 2 sites running on different IPs (if your CA allows it).
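
The SAN check discussed above, as an added example that is not part of the original thread: given the dNSName entries read from a certificate's Subject Alternative Name field, it reports which of `example.com` and `www.example.com` the certificate actually covers, including the wildcard case where the bare domain is left out. The function names and SAN lists are constructed for illustration, and the matching assumes clients that evaluate SAN entries only (no Common Name fallback).

```python
# Added example: which hostnames does a certificate's SAN list cover?
# The SAN lists below are constructed samples, not read from a real certificate.

def _labels(name):
    # DNS names compare case-insensitively; ignore a trailing root dot.
    return name.rstrip(".").lower().split(".")

def san_matches(pattern, hostname):
    """True if one SAN dNSName entry covers hostname (RFC 6125 style rules)."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False  # a wildcard stands for exactly one label
    if p[0] == "*":
        # Wildcard is honoured only as the complete leftmost label, and
        # never for a two-label pattern such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def coverage(san_dns_names, hostnames):
    """Map each hostname to the SAN entry that covers it, or None."""
    return {
        host: next((s for s in san_dns_names if san_matches(s, host)), None)
        for host in hostnames
    }

WANTED = ["example.com", "www.example.com"]
SAMPLES = {
    "single name": ["www.example.com"],
    "wildcard only": ["*.example.com"],
    "SAN with both": ["example.com", "www.example.com"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        cov = coverage(sans, WANTED)
        missing = [h for h, s in cov.items() if s is None]
        print(f"{label:15} missing: {missing or 'none'}")
```
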